Lec 8 528 FarinazIBM-TH

Transcript of Lec 8 528 FarinazIBM-TH

  • 7/27/2019 Lec 8 528 FarinazIBM-TH

    1/27

    ELEC 528 Lecture

    Farinaz Koushanfar, Spring 2009

    ECE and CS Depts., Rice University

  • 2/27

    Introduction

    Outsourcing of IC manufacturing

    Threat: addition of Trojan horse (TH) circuitry that is hard (or impossible) to detect by functional tests

    It may be triggerable: not always active, and hidden

    General circuit obfuscation to make it hard to insert a TH at the foundry is almost impossible

    They propose a side-channel based approach

    The technique requires destructive testing of a few ICs

    The rest of the ICs are nondestructively validated by side-channel analysis for the absence of any significantly sized Trojans

  • 3/27

    Side-channel analysis (SCA) techniques

    These techniques are effective even when the information present within the side channel is masked with noise

    More sophisticated techniques build statistical models for the noise and remove it

    Their side-channel approach does not require changes to the current process and practices for design and fab

    The technique requires an additional IC fingerprint generation and validation step to be carried out by a trustworthy fab facility

  • 4/27

    Fingerprinting methodology

    1. Select a few ICs at random from a family of ICs (i.e., ICs with the same mask and manufactured in the same fab).

    2. Run sufficient I/O tests multiple times on the selected ICs so as to exercise all of their expected circuitry, and collect one or more side-channel signals (power, EM, thermal emissions etc.) from the ICs during these tests.

    3. Use these side-channel signals to build a side-channel fingerprint for the IC family.

    4. Destructively test the selected ICs to validate that they are compliant with the original specifications.

    5. All other ICs from the same family are nondestructively validated by subjecting them to the same I/O tests and validating that their side-channel signals are consistent with the side-channel fingerprint of the family.

  • 5/27

    Trojans and their side-channel leakage

    TH circuits need to be stealthy

    TH ICs need to have the same physical form factor, pin-out and very similar I/O behavior

    A TH should wait for a trigger condition that happens rarely and is hidden from testing, but is easily triggerable by an attacker

    In nondeterministic ICs, it can be more easily encoded, but still needs to be selective

    Modern complex IC manufacturing leaves a lot of room for TH insertion

  • 6/27

    TH Detection via simple SCA

    The total power consumption differs when a sizeable component is added

    Run the IC at a low frequency

    Since the dynamic power is linearly dependent on the clock frequency, while the switching and leakage power are dependent on the area

    Small Trojan horses survive this test

  • 7/27

    SCA

    The details of the power signals from a non-Trojan AES circuit (green or grey) with an equivalent area of 4302 2-input NAND gates and a Trojan AES circuit (blue or black) with a 10-bit counter as the Trojan, which has an equivalent area of 247 2-input NAND gates.

    The left circuit is clocked at 100 MHz and sampled at 1 ns intervals; on the right the circuit is clocked at 500 KHz and sampled at 200 ns intervals. The Trojan in this case is roughly 5.6% of the total circuit size.

  • 8/27

    Statistical PA

    Even small THs can be distinguished by statistical analysis.

    A simulation of how the average power signal would look for the Trojan and genuine AES circuits running at 100 MHz.

    The signal from the genuine AES circuit is shown in green (or grey) and the additional signal introduced by the Trojan circuit is shown in black.

    Limited by the process noise and statistical variations

  • 9/27

    TH detection theory

    Consider an IC I that executes a calculation C.

    Consider a power measurement M done on I when it is executing the computation C.

    The power trace obtained in this measurement, $r(t; I; C; M)$, can be modeled as consisting of four components: (a) the mean power consumption $p(t; C)$ (the mean is computed over several measurements done on several ICs from the same family during multiple executions of the calculation C), (b) the process noise $n_p(t; I; C)$, (c) the measurement noise $n_m(t; M)$, and (d) possibly an extra power-leakage term $(t; I; C)$ due to a Trojan circuit in I (the symbol naming this term did not survive in the transcript).

  • 10/27

    TH detection theory (Contd)

    The power trace of a genuine IC is

    $r_G(t; I; C; M) = p(t; C) + n_p(t; I; C) + n_m(t; M)$

    The Trojan IC adds an additional component to give

    $r_T(t; I; C; M) = p(t; C) + n_p(t; I; C) + n_m(t; M) + (t; I; C)$

    where the last term is the extra leakage due to the Trojan. They ignore measurement noise.

  • 11/27

    TH Detection model

    Definition 1 (Trojan Detection Problem).

    Given K genuine ICs $I_1, I_2, \ldots, I_K$ and the process noise signals $n_p(t; I_1; C), n_p(t; I_2; C), \ldots, n_p(t; I_K; C)$ generated by these ICs during the execution of the calculation C, and given an IC $I_{K+1}$ with a mean power trace $r(t; I_{K+1}; C)$ (mean taken over multiple executions of calculation C, with the average $p(t; C)$ subtracted), how can we determine whether the IC $I_{K+1}$ contains a Trojan circuit?

  • 12/27

    Hypothesis testing

    Is the IC genuine or TH?

    1. $H_G$: $r(t; I_{K+1}; C) = n_p(t; I_{K+1}; C)$

    2. $H_T$: $r(t; I_{K+1}; C) = n_p(t; I_{K+1}; C) + (t; I_{K+1}; C)$

    The problem is viewed as a signal characterization problem

    Characterize the process noise and check whether the signal under test differs from it!
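    The fingerprinting steps of slide 4 and the $H_G$ / $H_T$ decision of slide 12, as an added example (not code from the slides or from the IBM paper). The power model is assumed for illustration: a made-up mean activity profile with a quiet gap, a per-IC gain as process noise, white measurement noise, and a constant leak for the Trojan; all traces are constructed synthetically. A genuine family is fingerprinted (per-sample mean and standard deviation), then a fresh genuine IC and a Trojan IC are screened by counting how many samples of their mean-removed trace leave the k-sigma process-noise envelope; the Trojan is caught in the low-activity gap, where the process noise is small.

```python
"""Added example (not code from the slides or from the IBM paper): the
fingerprinting procedure of slide 4 and the H_G / H_T decision of slide
12, run on synthetic power traces.  The power model (an assumed mean
activity profile, a per-IC gain as process noise, white measurement
noise, a constant leak for the Trojan) is an illustration only."""
import math
import random

T = 64  # samples per power trace (assumed)


def mean_activity():
    """Assumed p(t;C): two bursts of switching with a quiet gap between them."""
    return [1.0 if (8 <= t < 28 or 36 <= t < 56) else 0.05 for t in range(T)]


def genuine_trace(rng, variation=0.05, meas=0.002):
    """Genuine IC: p(t;C) scaled by a per-IC process-variation gain
    (n_p is correlated with the activity) plus white measurement noise n_m."""
    gain = 1.0 + rng.uniform(-variation, variation)
    return [gain * p + rng.gauss(0.0, meas) for p in mean_activity()]


def trojan_trace(rng, leak=0.02):
    """Trojan IC: a genuine trace plus a small constant leak from an
    always-on Trojan (e.g. a free-running counter) that keeps drawing
    power when the main circuit goes quiet."""
    return [r + leak for r in genuine_trace(rng)]


def build_fingerprint(traces):
    """Steps 2-3: per-sample mean p_hat(t) and standard deviation of the
    process noise over the selected ICs (the ones later destructively tested)."""
    k = len(traces)
    mean = [sum(tr[t] for tr in traces) / k for t in range(T)]
    std = [math.sqrt(sum((tr[t] - mean[t]) ** 2 for tr in traces) / (k - 1))
           for t in range(T)]
    return mean, std


def outside_fraction(trace, fingerprint, k_sigma=3.0):
    """Step 5 / hypothesis test: subtract p_hat(t) to get r(t;I_{K+1};C) and
    count the samples that fall outside the k-sigma process-noise envelope."""
    mean, std = fingerprint
    outside = sum(1 for t in range(T) if abs(trace[t] - mean[t]) > k_sigma * std[t])
    return outside / T


def is_genuine(trace, fingerprint, k_sigma=3.0, max_outside=0.10):
    """Accept H_G when only a small fraction of samples leave the envelope."""
    return outside_fraction(trace, fingerprint, k_sigma) <= max_outside


def run_demo(seed=3, family_size=16):
    """Fingerprint a family of genuine ICs, then screen one genuine and one
    Trojan IC that were not part of the fingerprint."""
    rng = random.Random(seed)
    fp = build_fingerprint([genuine_trace(rng) for _ in range(family_size)])
    return is_genuine(genuine_trace(rng), fp), is_genuine(trojan_trace(rng), fp)


if __name__ == "__main__":
    print(run_demo())  # (True, False): the leak stands out in the quiet gap
```

    The envelope is the same picture as the process-noise envelopes of experiment 3 (slide 22): in the active bursts a 2% leak sits well inside the spread caused by a 5% gain variation, but in the quiet gap the genuine spread shrinks to a fraction of a percent and every gap sample of the Trojan trace lands outside it. The `k_sigma` and `max_outside` values are constructed thresholds, not numbers from the paper.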

  • 13/27

    Characteristics of noise

    Subspace projection

    Subspace projection, where the signal $r(t; I_{K+1}; C)$ and the process noise signals $n_p(t; I_1; C), n_p(t; I_2; C), \ldots, n_p(t; I_K; C)$ from known genuine ICs are projected into a signal subspace where signals from Trojan and genuine ICs are likely to have different characteristics

    The main obstacle in this analysis is that we do not know the Trojan circuit or what precisely it may be trying to accomplish.

    The Trojan IC may be monitoring the clock, the contents of a register, or transitions on a bus. The power consumed by the Trojan may be correlated with the clock, input or output data, the result of some intermediate calculation, etc.

    In the absence of this a priori knowledge, it may seem that nothing short of a full characterization of the process noise would work.

  • 14/27

    Can subspace projection help?

    In their initial experiments, they could easily find subspaces that distinguish between signal and noise without full characterization

    Example: a simple TH circuit whose power consumption does not fall when the genuine power consumption falls

    An RSA computation (in green or gray) with the process noise (in red or dark grey) and the Trojan signal (in black), simulated via a 5% random variation in cell libraries across processes.

  • 15/27

    Trojan vs. process noise

    Trojan power signature and process noise in one such region of low activity in between two modular multiplications

    In such regions, with its relatively much larger magnitude, the Trojan contribution to the signal (black) stands out compared to the process noise (green or grey).

    Even when the IC's power consumption, and therefore the correlated process noise, does not fall relative to the Trojan at any point in the computation, the Trojan ICs can be detected by using advanced signal processing techniques.

    They will demonstrate the use of the Karhunen-Loève (KL) expansion

  • 16/27

    KL expansion

  • 17/27

    KL expansion

    The KL expansion provides a separation of the randomness and the time variation of a random signal

    The sequence $Z_k$ is referred to as the eigenvalue spectrum of a sample; it varies from sample to sample and has no time dependency

    The eigenvector is fixed from sample to sample but varies with time
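    The subspace projection of slides 13-14 carried out with a KL expansion of the genuine process noise (slide 17), as an added example (not code from the slides or from the IBM paper). The power model is assumed for illustration: a made-up activity profile, a per-IC gain and a per-IC constant offset as the structured part of the process noise, white measurement noise, and a small counter that keeps toggling in the quiet gap as the Trojan; all traces are constructed synthetically. The KL eigenvectors are computed from the K x K Gram matrix of the mean-removed genuine traces with a pure-Python Jacobi eigensolver (no numpy needed); a trace is then flagged when its energy outside the genuine-noise subspace exceeds a margin over what the genuine training traces themselves leave outside. This is more general than the single example on slide 14: the Trojan need not be larger than the process noise, it only needs a component in a direction the genuine noise never uses.

```python
"""Added example (not code from the slides or from the IBM paper): the
subspace projection of slides 13-14 done with a KL expansion of genuine
process noise (slide 17).  The power model (assumed activity profile, per-IC
gain and leakage offsets, a toggling counter as Trojan) is an illustration."""
import math
import random

T = 64  # samples per trace (assumed)


def dot(x, y):
    return sum(a * b for a, b in zip(x, y))


def mean_activity():
    """Assumed p(t;C): two bursts of switching with a quiet gap between them."""
    return [1.0 if (8 <= t < 28 or 36 <= t < 56) else 0.05 for t in range(T)]


def genuine_trace(rng, gain_var=0.05, leak_var=0.02, meas=0.001):
    """Genuine IC: p(t;C) scaled by a per-IC gain (dynamic-power variation),
    plus a per-IC constant offset (leakage variation), plus white noise.
    The structured part of n_p therefore lives in span{p(t), 1}."""
    gain = 1.0 + rng.uniform(-gain_var, gain_var)
    leak = rng.uniform(-leak_var, leak_var)
    return [gain * p + leak + rng.gauss(0.0, meas) for p in mean_activity()]


def trojan_trace(rng, toggle=0.02):
    """Trojan IC: a small counter keeps toggling every 4 cycles whether or
    not the main circuit is active, so its signature is in neither direction."""
    return [r + (toggle if t % 4 == 0 else 0.0)
            for t, r in enumerate(genuine_trace(rng))]


def jacobi_eigen(a, sweeps=60):
    """Eigenvalues and eigenvectors (columns of v) of a small symmetric
    matrix by cyclic Jacobi rotations A <- P^T A P, V <- V P."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        off = sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j)
        if off < 1e-26:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):  # columns p, q of A
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # rows p, q of A
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(n):  # columns p, q of V
                    vkp, vkq = v[k][p], v[k][q]
                    v[k][p], v[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    return [a[i][i] for i in range(n)], v


def kl_basis(noise, energy=0.99):
    """KL expansion of K mean-removed genuine traces n_p(t;I_i;C).  The
    eigenvectors phi_k(t) (from the K x K Gram matrix) are fixed across ICs;
    the coefficients Z_k = <n_p, phi_k> vary from IC to IC with variance
    lambda_k/(K-1).  Keep the leading eigenvectors carrying `energy` of the
    total variance; this is the genuine-noise subspace."""
    K = len(noise)
    gram = [[dot(x, y) for y in noise] for x in noise]
    lam, v = jacobi_eigen(gram)
    total = sum(l for l in lam if l > 0)
    basis, kept = [], 0.0
    for i in sorted(range(K), key=lambda i: -lam[i]):
        if lam[i] <= 1e-12 * total:
            break
        w = [v[k][i] for k in range(K)]
        # phi = X^T v / sqrt(lambda) is a unit eigenvector of the covariance
        phi = [sum(w[k] * noise[k][t] for k in range(K)) / math.sqrt(lam[i])
               for t in range(T)]
        basis.append(phi)
        kept += lam[i]
        if kept >= energy * total:
            break
    return basis


def residual_energy(x, basis):
    """Energy of x outside the span of the orthonormal KL basis."""
    return dot(x, x) - sum(dot(x, phi) ** 2 for phi in basis)


def run_demo(seed=7, family=12, margin=8.0):
    """Learn the genuine-noise subspace from `family` ICs, then test one
    genuine and one Trojan IC.  Returns (basis size, genuine flagged?,
    Trojan flagged?); `margin` is a constructed decision threshold."""
    rng = random.Random(seed)
    train = [genuine_trace(rng) for _ in range(family)]
    p_hat = [sum(tr[t] for tr in train) / family for t in range(T)]
    noise = [[tr[t] - p_hat[t] for t in range(T)] for tr in train]  # n_p(t;I_i;C)
    basis = kl_basis(noise)
    threshold = margin * max(residual_energy(n, basis) for n in noise)

    def flagged(trace):
        r = [trace[t] - p_hat[t] for t in range(T)]  # r(t;I_{K+1};C)
        return residual_energy(r, basis) > threshold

    return len(basis), flagged(genuine_trace(rng)), flagged(trojan_trace(rng))
```

    With this model the basis has two vectors (the gain and leakage directions), and the toggling Trojan leaves most of its energy outside them, which is exactly the conclusion on slide 27: the Trojan leaks signal in subspaces that genuine ICs do not occupy. The constant part of the Trojan's draw is absorbed by the leakage-variation direction and would not be caught on its own, so the choice of which directions genuine noise spans decides what a subspace test can see.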

  • 18/27

    Experiment setup: RSA circuit

    RSA circuits; the TH is a comparator or a counter

    Their RSA design employs the left-to-right binary square-and-multiply exponentiation algorithm.

    It has a scalable, pipelined, high-radix Montgomery Multiplier (MM) architecture to realize the square and multiply operations.

    Operand length, word size and pipeline depth in the MM circuit are parameterized.

    All simulation results in the paper were obtained for a pipeline depth of 8 and a word size of 8 bits.

    The memories to hold the operands, exponent and modulus, and the FIFO memory necessary for the pipeline structure, are omitted from the synthesized RSA circuit.

  • 19/27

    Trojan circuit description

    The first TH was a 16-bit counter with an equivalent area of 406 2-input NAND gates, which occupies roughly 1.4% of the total circuit area of the RSA circuits described earlier.

    The second Trojan circuit was a simple 8-bit sequential comparator with an equivalent area of 33 2-input NAND gates.

    An even simpler 3-bit combinational comparator with an equivalent area of only 3 2-input NAND gates.

    Note that the area of the Trojan circuits used in our experiments goes from 406 gates to 33 gates to 3 gates, roughly an order of magnitude decrease at each step.

  • 20/27

    Exp - 1

    Experiment 1: 512-Bit RSA Circuit with a 16-Bit Counter Based Trojan and with 2% Parameter Variations

  • 21/27

    Exp - 2

    Experiment 2: 256-Bit RSA Circuit with the 16-Bit Counter Based Trojan and with 5% Parameter Variations

  • 22/27

    Exp - 3

    Experiment 3: 256-bit RSA Circuit with the 8-bit Sequential Comparator Based TH and with 5% Parameter Variations

    Trojan signals (blue or black) inside (top figure) and outside (bottom figure) the process noise envelopes (green or grey), Experiment 3.

  • 23/27

    Exp - 4

    Experiment 4: 256-bit RSA Circuit with 3-bit Combinational Comparator Based TH and 7.5% Parameter Variations

  • 24/27

    More experiments

  • 25/27

    More experiments

  • 26/27

    More experiments

  • 27/27

    Conclusion

    Demonstrated the feasibility of building effective fingerprints for an IC family to detect Trojan ICs.

    Designed and synthesized an RSA circuit and three different Trojan circuits.

    The power traces obtained from simulations of these circuits were used to build the IC fingerprints.

    They modeled three sets of process variations by creating random variations (up to 2%, 5% and 7.5%) in the cell libraries that were used to synthesize the designs.

    In all cases, fairly simple analysis of the power signals could distinguish genuine ICs from those containing Trojan circuits down to 0.01% of the size of the main circuit.

    In general it is difficult to hide the signal distortions introduced by a Trojan circuit, as a Trojan circuit leaks signal in signal subspaces that are not present in genuine ICs.